
Re: Despite its efforts to fix vulnerabilities, Yahoo's Mail users continue reporting hacking incidents - The Next Web

  • Makc666
    Message 1 of 25 , Mar 12, 2013
      Donna,

      Not the first time you say that your system was clean.

      It is not true because every day "your" antivirus company adds new virus signatures to their database. And if there was a new, undetected malware in your system, then how can you say that your system is clean?
      Also pay attention to the fact that future malware knows how to delete itself from your system.

      In other words there is no magic when your account has been hacked.
      And saying that it is not my fault is wrong.

      Maxim

      --- In Y-Mail@yahoogroups.com, Donna Lee <donna74128@...> wrote:
      >
      > I used to have a seal but it keeps disappearing so I gave up on uploading a picture.
      >
      > I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped.
      >
      > Donna
    • Donna Lee
      Message 2 of 25 , Jun 18, 2013
        http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/

        This is sent for informational purposes only.

        I wish Yahoo would find that hole for I was a victim of a hack yesterday!! I did not click on ANY links from others. I scanned my PC and she is clean so once again I had to change my password ARGH!

        I am running out of password ideas!!!

        Yahoo is losing my confidence lately and I am thinking that I may cancel payment to Yahoo email. I love my groups though so I am stuck between a rock and a hard place!

        Donna Ford Lee ♂+♀=♡
        Tulsa, OK

        Sent Via My iPhone
      • Shal Farley
        Message 3 of 25 , Jun 18, 2013
          Donna,

          > I am running out of password ideas!!!

          Generally speaking, password ideas are a bad idea.

          I use PasswordSafe to generate and store random passwords, a separate
          one for each service I use. It also helps protect against simple
          keylogging malware -- I never type my online passwords, PasswordSafe can
          fill in the username and password at most login pages, or copy/paste the
          password through the clipboard.
          <http://passwordsafe.sourceforge.net/>

          > Yahoo is losing my confidence lately and I am thinking that I may
          > cancel payment to Yahoo email. I love my groups though so I am stuck
          > between a rock and a hard place!

          You don't need a Yahoo Mail address to run Yahoo Groups, and you
          certainly don't need a paid Mail Plus account. You need not feel stuck
          at all.

          -- Shal
        • Lorrie
          Message 4 of 25 , Jun 18, 2013
            My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

            Lorrie

            Lorries Green World
            http://minilorrie.2itb.com
            Thompson, Manitoba, Canada


          • Kenneth
            Message 5 of 25 , Jun 18, 2013
              Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.



            • Jodi Upchurch
              Message 6 of 25 , Jun 18, 2013
                A Few Of My Yahoo! Accounts, I Had To Change My Password For...............Hang In There
                 

              • Harryh
                Message 7 of 25 , Jun 18, 2013
                  The real risk of passwords lies in the fact that crackers can do them in short order - see http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

                  And should a hacker get into the user files where passwords are hashed, knowing a few facts can make the entire list vulnerable. Further since most users may use a similar password scheme for all their sites, banking may be at risk from an email hack.   I suspect that the only solution is a password generator that assigns a large random set of mixed characters per site.  Conversion to a generator can be painful but necessary.


                  From: Kenneth <justkenneth@...>
                  To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                  Sent: Tuesday, June 18, 2013 5:22 PM
                  Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web



                  Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer. 
                  <snip>

                  From: Lorrie <minilorrie@...>
                  To: Y-Mail@yahoogroups.com
                  Sent: Tuesday, June 18, 2013 1:53 PM
                  Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                   
                  My password is really simple and not very secure.  I have had it for years.  Never had any problems. 
                  <snip>






                • lena_kiev
                  Message 8 of 25 , Jun 18, 2013
                    > From: Harryh <harryh89@...>

                    > And should a hacker get into the user files where passwords are hashed

                    Trojans steal cleartext passwords - stored in the browser, or when
                    the form is filled (form-grabbing). Complexity of passwords
                    doesn't matter at all. Strong (long, complicated, unique) passwords
                    are stolen as easily as simple ones. In case of this cracker+spammer
                    strong passwords give false sense of security.
                  • Chris J Brady
                    Message 9 of 25 , Jun 19, 2013
                      The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of Shakespeare. Neither is it a computer generating random letter passwords and trying them until one fits. That's old skool. 

                      The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest version.

                      The virus script does two other things. Periodically - until removed - it sends an email out - with a one line URL to another rogue website - to one, many, all contacts in the user's address book.

                      Secondly it sends the entire address book to the hackers. This can be used to send out fraudulent emails appealing for cash because the user has lost his/her passport on a surprise trip overseas, or has been imprisoned in a foreign country and needs urgent cash to be released, etc.

                      I have not found out how to remove the XML / Javascript / whatever code that represents the virus. Perhaps someone here can say. Virus protection apps will not detect it.

                      However I understand that one protection is to ALWAYS log out of a Yahoo session after finishing which apparently then kills the cookie containing the user's account and password.

                      But if the hackers have a user's complete address book then there's nothing to stop them from using the contents to send begging emails.

                      CJB ..
                         


                    • Raymond B. Normandeau NYC
                      Message 10 of 25 , Jun 19, 2013
                        Isn't this how Facebook and LinkedIn etc are able to
                        "see which of your friends are already members"?

                        Are perhaps all the hack victims also members of one of the above?

                        --
                        Considering VistaPrint?
                        See http://www.ripoffreport.com/directory/vista-print.aspx
                        http://www.consumeraffairs.com/online/vistaprint.html

                        --- On Wed, 6/19/13, Chris J Brady <chrisjbrady@...> wrote:

                        From: Chris J Brady <chrisjbrady@...>
                        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                        ...
                         
                        The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest version.
                        ...
                      • lena_kiev
                        Message 11 of 25 , Jun 19, 2013
                          > From: Chris J Brady <chrisjbrady@...>

                          > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
                          > randomly typing in characters like the proverbial monkeys typing in
                          > the complete works of Shakespeare. Neither is it a computer
                          > generating random letter passwords and trying them until one fits.

                          Right.

                          > The vulnerability is that a user having clicked on an embedded URL
                          > in an email is taken to a rogue webpage. Or maybe has not even
                          > clicked on an embedded URL and in the course of surfing has
                          > been taken to a rogue webpage. This has installed a virus (a
                          > snippet of XML / Javascript / whatever / code) onto the user's PC.

                          Right.

                          > This in turn sends the Yahoo cookie file containing the account
                          > name and password to the hackers.

                          Not cookie, but yahooID and password, not hashed.

                          Then another piece of malware uses a bot in another victim's computer
                          (in a random country) to give the yahooID and password to the
                          m.yahoo.com website (for mobile devices) and get a yahoo cookie
                          (containing a hash) in return. That leaves a line "Mobile Logged In"
                          in first victim's "Recent sign-in activity" (linked from Account Info).
                          Then (usually via the same bot, sometimes via another bot in another
                          country, but in under a minute) it uses that cookie to access
                          regular mail.yahoo.com website to harvest email address from
                          letters in Sent and Inbox folder (and possibly Contacts too) and spam them.
                          That leaves another line "Mail Access" in first victim's
                          "Recent sign-in activity".

                          I can't test myself because my country isn't in the list
                          (yahoo cannot send me a SMS).
                          Please somebody who "Set up your second sign-in verification"
                          Sign Out, then on the m.yahoo.com/mail website sign in,
                          preferably via another ISP.
                          Does the m.yahoo.com website (used by the felon too)
                          require to type something from SMS?

                          > The virus script does two other things. Periodically - until removed

                          Until the password is changed. The trojan which stole the password
                          doesn't send the spam, it only phones home the stolen password.

                          Another piece of malware does this:

                          > it sends an email out - with a one line URL to another rogue
                          > website - to one, many, all contacts in the user's address book.

                          Or/and addresses harvested from letters in Sent and Inbox folders.

                          > I have not found out how to remove the XML / Javascript / whatever
                          > code that represent the virus. Perhaps someone here can say. Virus
                          > protection apps will not detect it.

                          The felon tests the drive-by exploit kit
                          and (stealthy encrypted polymorphic) trojan it installs
                          against multiple antiviruses
                          and makes sure that the exploit kit and trojan
                          can evade or disable all the antiviruses.
                          Antivirus vendors lost the war.

                          > However I understand that one protection is to ALWAYS log out of a
                          > Yahoo session after finishing which apparently then kills the cookie
                          > containing the user's account and password.

                          The trojan steals password, not cookie. So, to Sign Out is useless
                          in this case.
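
The sign-in trail described in message 11 (a "Mobile Logged In" line followed in under a minute by a "Mail Access" line, often from another country) can be checked for mechanically. The sketch below is an added example, not part of the thread and not a Yahoo tool; the `time|label|country` row layout, the sample rows and the `home_countries` parameter are assumptions, and only the two event labels come from the message.

```python
from datetime import datetime, timedelta

# Constructed sample rows. The "time|label|country" layout is an assumption;
# only the two event labels are taken from the thread.
SAMPLE_ACTIVITY = """\
2013-06-17 08:02:11|Mail Access|US
2013-06-17 19:40:05|Mail Access|US
2013-06-18 03:14:52|Mobile Logged In|BR
2013-06-18 03:15:20|Mail Access|VN
2013-06-18 09:01:37|Mail Access|US
2013-06-18 12:30:00|Mobile Logged In|US
2013-06-18 12:45:10|Mail Access|US
"""

WINDOW = timedelta(minutes=1)  # "in under a minute", per message 11


def parse_activity(text):
    """Parse 'time|label|country' rows into (datetime, label, country), oldest first."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, label, country = (field.strip() for field in line.split("|"))
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), label, country))
    rows.sort(key=lambda row: row[0])
    return rows


def find_suspicious_pairs(rows, home_countries):
    """Flag a mobile sign-in followed by mail access inside WINDOW.

    Severity is "high" when either event comes from outside home_countries
    or the country changes between the two events, otherwise "low".
    """
    findings = []
    last_mobile = None
    for when, label, country in rows:
        if label == "Mobile Logged In":
            last_mobile = (when, country)
        elif label == "Mail Access" and last_mobile is not None:
            mobile_when, mobile_country = last_mobile
            gap = when - mobile_when
            if gap < WINDOW:
                foreign = (mobile_country not in home_countries
                           or country not in home_countries)
                hopped = country != mobile_country
                findings.append({
                    "mobile_login": mobile_when,
                    "mobile_country": mobile_country,
                    "mail_country": country,
                    "gap_seconds": int(gap.total_seconds()),
                    "severity": "high" if (foreign or hopped) else "low",
                })
            last_mobile = None  # each mobile sign-in is paired at most once
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_pairs(parse_activity(SAMPLE_ACTIVITY), {"US"}):
        print(hit)
```
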